<!DOCTYPE html>
<html lang="zh-CN">

<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
  <meta name="theme-color" content="#222">
  <meta name="generator" content="Hexo 5.4.0">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

  <link rel="stylesheet" href="/css/main.css">



  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.2/css/all.min.css">
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/animate.css@3.1.1/animate.min.css">

  <script class="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {
      "hostname": "holidaypenguin.gitee.io",
      "root": "/",
      "images": "/images",
      "scheme": "Mist",
      "version": "8.2.2",
      "exturl": false,
      "sidebar": {
        "position": "right",
        "display": "always",
        "padding": 18,
        "offset": 12
      },
      "copycode": true,
      "bookmark": {
        "enable": false,
        "color": "#222",
        "save": "auto"
      },
      "fancybox": false,
      "mediumzoom": false,
      "lazyload": false,
      "pangu": false,
      "comments": {
        "style": "tabs",
        "active": null,
        "storage": true,
        "lazyload": false,
        "nav": null
      },
      "motion": {
        "enable": true,
        "async": true,
        "transition": {
          "post_block": "fadeIn",
          "post_header": "fadeInDown",
          "post_body": "fadeInDown",
          "coll_header": "fadeInLeft",
          "sidebar": "slideUpIn"
        }
      },
      "prism": false,
      "i18n": {
        "placeholder": "搜索...",
        "empty": "没有找到任何搜索结果：${query}",
        "hits_time": "找到 ${hits} 个搜索结果（用时 ${time} 毫秒）",
        "hits": "找到 ${hits} 个搜索结果"
      },
      "path": "/search.xml",
      "localsearch": {
        "enable": true,
        "trigger": "auto",
        "top_n_per_article": 1,
        "unescape": false,
        "preload": false
      }
    };
  </script>
  <meta property="og:type" content="article">
  <meta property="og:title" content="跨域资源共享 CORS">
  <meta property="og:url" content="https://holidaypenguin.gitee.io/blob/2019-04-09-cross-domain-resource-sharing-cors/index.html">
  <meta property="og:site_name" content="HolidayPenguin">
  <meta property="og:locale" content="zh_CN">
  <meta property="article:published_time" content="2019-04-09T06:50:19.000Z">
  <meta property="article:modified_time" content="2019-04-09T06:50:19.000Z">
  <meta property="article:author" content="holidaypenguin">
  <meta property="article:tag" content="CORS">
  <meta name="twitter:card" content="summary">


  <link rel="canonical" href="https://holidaypenguin.gitee.io/blob/2019-04-09-cross-domain-resource-sharing-cors/">


  <script class="page-configurations">
    // https://hexo.io/docs/variables.html
    CONFIG.page = {
      sidebar: "",
      isHome: false,
      isPost: true,
      lang: 'zh-CN'
    };
  </script>
  <title>跨域资源共享 CORS | HolidayPenguin</title>





  <noscript>
    <style>
      body {
        margin-top: 2rem;
      }

      .use-motion .menu-item,
      .use-motion .sidebar,
      .use-motion .post-block,
      .use-motion .pagination,
      .use-motion .comments,
      .use-motion .post-header,
      .use-motion .post-body,
      .use-motion .collection-header {
        visibility: visible;
      }

      .use-motion .header,
      .use-motion .site-brand-container .toggle,
      .use-motion .footer {
        opacity: initial;
      }

      .use-motion .site-title,
      .use-motion .site-subtitle,
      .use-motion .custom-logo-image {
        opacity: initial;
        top: initial;
      }

      .use-motion .logo-line {
        transform: scaleX(1);
      }

      .search-pop-overlay,
      .sidebar-nav {
        display: none;
      }

      .sidebar-panel {
        display: block;
      }
    </style>
  </noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
  <div class="headband"></div>

  <main class="main">
    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner">
        <div class="site-brand-container">
          <div class="site-nav-toggle">
            <div class="toggle" aria-label="切换导航栏" role="button">
              <span class="toggle-line"></span>
              <span class="toggle-line"></span>
              <span class="toggle-line"></span>
            </div>
          </div>

          <div class="site-meta">

            <a href="/" class="brand" rel="start">
              <i class="logo-line"></i>
              <h1 class="site-title">HolidayPenguin</h1>
              <i class="logo-line"></i>
            </a>
          </div>

          <div class="site-nav-right">
            <div class="toggle popup-trigger">
              <i class="fa fa-search fa-fw fa-lg"></i>
            </div>
          </div>
        </div>



        <nav class="site-nav">
          <ul class="main-menu menu">
            <li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a></li>
            <li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a></li>
            <li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a></li>
            <li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a></li>
            <li class="menu-item menu-item-search">
              <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
              </a>
            </li>
          </ul>
        </nav>



        <div class="search-pop-overlay">
          <div class="popup search-popup">
            <div class="search-header">
              <span class="search-icon">
                <i class="fa fa-search"></i>
              </span>
              <div class="search-input-container">
                <input autocomplete="off" autocapitalize="off" maxlength="80" placeholder="搜索..." spellcheck="false" type="search" class="search-input">
              </div>
              <span class="popup-btn-close" role="button">
                <i class="fa fa-times-circle"></i>
              </span>
            </div>
            <div class="search-result-container no-result">
              <div class="search-result-icon">
                <i class="fa fa-spinner fa-pulse fa-5x"></i>
              </div>
            </div>

          </div>
        </div>

      </div>


      <div class="toggle sidebar-toggle" role="button">
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
      </div>

      <aside class="sidebar">

        <div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
          <ul class="sidebar-nav">
            <li class="sidebar-nav-toc">
              文章目录
            </li>
            <li class="sidebar-nav-overview">
              站点概览
            </li>
          </ul>

          <div class="sidebar-panel-container">
            <!--noindex-->
            <div class="post-toc-wrap sidebar-panel">
              <div class="post-toc animated">
                <ol class="nav">
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%BB%80%E4%B9%88%E6%83%85%E5%86%B5%E4%B8%8B%E9%9C%80%E8%A6%81-CORS-%EF%BC%9F"><span class="nav-number">1.</span> <span class="nav-text">什么情况下需要 CORS ？</span></a></li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%8A%9F%E8%83%BD%E6%A6%82%E8%BF%B0"><span class="nav-number">2.</span> <span class="nav-text">功能概述</span></a></li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#%E7%AE%80%E5%8D%95%E8%AF%B7%E6%B1%82"><span class="nav-number">3.</span> <span class="nav-text">简单请求</span></a>
                    <ol class="nav-child">
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E7%AE%80%E5%8D%95%E8%AF%B7%E6%B1%82%E6%9D%A1%E4%BB%B6"><span class="nav-number">3.1.</span> <span class="nav-text">简单请求条件</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E4%B8%BE%E4%BE%8B%E8%AF%B4%E6%98%8E"><span class="nav-number">3.2.</span> <span class="nav-text">举例说明</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%AE%8C%E6%95%B4%E5%AE%9E%E4%BE%8B"><span class="nav-number">3.3.</span> <span class="nav-text">完整实例</span></a></li>
                    </ol>
                  </li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#%E9%A2%84%E6%A3%80%E8%AF%B7%E6%B1%82"><span class="nav-number">4.</span> <span class="nav-text">预检请求</span></a>
                    <ol class="nav-child">
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E9%A2%84%E6%A3%80%E8%AF%B7%E6%B1%82%E6%9D%A1%E4%BB%B6"><span class="nav-number">4.1.</span> <span class="nav-text">预检请求条件</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E4%B8%BE%E4%BE%8B%E8%AF%B4%E6%98%8E-1"><span class="nav-number">4.2.</span> <span class="nav-text">举例说明</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%AE%8C%E6%95%B4%E5%AE%9E%E4%BE%8B-1"><span class="nav-number">4.3.</span> <span class="nav-text">完整实例</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#%E9%A2%84%E6%A3%80%E8%AF%B7%E6%B1%82%E4%B8%8E%E9%87%8D%E5%AE%9A%E5%90%91"><span class="nav-number">4.4.</span> <span class="nav-text">预检请求与重定向</span></a></li>
                    </ol>
                  </li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#%E9%99%84%E5%B8%A6%E8%BA%AB%E4%BB%BD%E5%87%AD%E8%AF%81%E7%9A%84%E8%AF%B7%E6%B1%82"><span class="nav-number">5.</span> <span class="nav-text">附带身份凭证的请求</span></a></li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#HTTP-%E5%93%8D%E5%BA%94%E9%A6%96%E9%83%A8%E5%AD%97%E6%AE%B5"><span class="nav-number">6.</span> <span class="nav-text">HTTP 响应首部字段</span></a></li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#HTTP-%E8%AF%B7%E6%B1%82%E9%A6%96%E9%83%A8%E5%AD%97%E6%AE%B5"><span class="nav-number">7.</span> <span class="nav-text">HTTP 请求首部字段</span></a></li>
                  <li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%9C%8D%E5%8A%A1%E7%AB%AF%E9%85%8D%E7%BD%AECORS"><span class="nav-number">8.</span> <span class="nav-text">服务端配置CORS</span></a>
                    <ol class="nav-child">
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#Nginx"><span class="nav-number">8.1.</span> <span class="nav-text">Nginx</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#Node"><span class="nav-number">8.2.</span> <span class="nav-text">Node</span></a></li>
                      <li class="nav-item nav-level-3"><a class="nav-link" href="#Koa"><span class="nav-number">8.3.</span> <span class="nav-text">Koa</span></a></li>
                    </ol>
                  </li>
                </ol>
                </li>
                <li class="nav-item nav-level-1"><a class="nav-link" href="#%E5%8F%82%E8%80%83"><span class="nav-number"></span> <span class="nav-text">参考</span></a>
              </div>
            </div>
            <!--/noindex-->

            <div class="site-overview-wrap sidebar-panel">
              <div class="site-author site-overview-item animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
                <p class="site-author-name" itemprop="name">holidaypenguin</p>
                <div class="site-description" itemprop="description"></div>
              </div>
              <div class="site-state-wrap site-overview-item animated">
                <nav class="site-state">
                  <div class="site-state-item site-state-posts">
                    <a href="/archives/">

                      <span class="site-state-item-count">138</span>
                      <span class="site-state-item-name">日志</span>
                    </a>
                  </div>
                  <div class="site-state-item site-state-categories">
                    <a href="/categories/">

                      <span class="site-state-item-count">26</span>
                      <span class="site-state-item-name">分类</span></a>
                  </div>
                  <div class="site-state-item site-state-tags">
                    <a href="/tags/">

                      <span class="site-state-item-count">234</span>
                      <span class="site-state-item-name">标签</span></a>
                  </div>
                </nav>
              </div>
              <div class="links-of-author site-overview-item animated">
                <span class="links-of-author-item">
                  <a href="https://github.com/holidaypenguin" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;holidaypenguin" rel="noopener" target="_blank"><i class="github fa-fw"></i>GitHub</a>
                </span>
                <span class="links-of-author-item">
                  <a href="mailto:songshipeng2016@gmail.com" title="E-Mail → mailto:songshipeng2016@gmail.com" rel="noopener" target="_blank"><i class="envelope fa-fw"></i>E-Mail</a>
                </span>
              </div>



            </div>
          </div>
        </div>
      </aside>
      <div class="sidebar-dimmer"></div>


    </header>


    <div class="back-to-top" role="button">
      <i class="fa fa-arrow-up"></i>
      <span>0%</span>
    </div>

    <noscript>
      <div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
    </noscript>


    <div class="main-inner post posts-expand">





      <div class="post-block">



        <article itemscope itemtype="http://schema.org/Article" class="post-content" lang="zh-CN">
          <link itemprop="mainEntityOfPage" href="https://holidaypenguin.gitee.io/blob/2019-04-09-cross-domain-resource-sharing-cors/">

          <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
            <meta itemprop="image" content="/images/avatar.gif">
            <meta itemprop="name" content="holidaypenguin">
            <meta itemprop="description" content="">
          </span>

          <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
            <meta itemprop="name" content="HolidayPenguin">
          </span>
          <header class="post-header">
            <h1 class="post-title" itemprop="name headline">
              跨域资源共享 CORS
            </h1>

            <div class="post-meta-container">
              <div class="post-meta">
                <span class="post-meta-item">
                  <span class="post-meta-item-icon">
                    <i class="far fa-calendar"></i>
                  </span>
                  <span class="post-meta-item-text">发表于</span>

                  <time title="创建时间：2019-04-09 14:50:19" itemprop="dateCreated datePublished" datetime="2019-04-09T14:50:19+08:00">2019-04-09</time>
                </span>
                <span class="post-meta-item">
                  <span class="post-meta-item-icon">
                    <i class="far fa-folder"></i>
                  </span>
                  <span class="post-meta-item-text">分类于</span>
                  <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                    <a href="/categories/HTTP/" itemprop="url" rel="index"><span itemprop="name">HTTP</span></a>
                  </span>
                </span>


                <span id="/blob/2019-04-09-cross-domain-resource-sharing-cors/" class="post-meta-item leancloud_visitors" data-flag-title="跨域资源共享 CORS" title="阅读次数">
                  <span class="post-meta-item-icon">
                    <i class="far fa-eye"></i>
                  </span>
                  <span class="post-meta-item-text">阅读次数：</span>
                  <span class="leancloud-visitors-count"></span>
                </span>
              </div>

              <div class="post-description">
                <!-- more -->
              </div>
            </div>
          </header>




          <div class="post-body" itemprop="articleBody">
            <p>CORS是一个W3C标准，全称是”跨域资源共享”（Cross-origin resource sharing）。</p>
            <p>它允许浏览器向跨源服务器，发出<code>XMLHttpRequest</code>请求，从而克服了AJAX只能同源使用的限制。</p>
            <p>跨域资源共享（CORS）是一种机制，它使用额外的HTTP头告诉浏览器让在一个源（域）上运行的Web应用程序有权从不同源服务器访问指定的资源。Web应用程序在请求具有与其自己的源不同的源（域，协议和端口）的资源时执行跨源HTTP请求。</p>
            <h2 id="什么情况下需要-CORS-？"><a href="#什么情况下需要-CORS-？" class="headerlink" title="什么情况下需要 CORS ？"></a>什么情况下需要 CORS ？</h2>
            <p>跨域资源共享标准（ <a target="_blank" rel="noopener" href="http://www.w3.org/TR/cors/">cross-origin sharing standard</a> ）允许在下列场景中使用跨域 HTTP 请求：</p>
            <ul>
              <li>前文提到的由 <a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/API/XMLHttpRequest">XMLHttpRequest</a> 或 <a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API">Fetch</a> 发起的跨域 HTTP 请求。</li>
              <li>Web 字体 (CSS 中通过 @font-face 使用跨域字体资源), <a target="_blank" rel="noopener" href="http://www.webfonts.info/wiki/index.php?title=@font-face_support_in_Firefox">因此，网站就可以发布 TrueType 字体资源，并只允许已授权网站进行跨站调用</a>。</li>
              <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/API/WebGL_API/Tutorial/Using_textures_in_WebGL">WebGL 贴图</a></li>
              <li>使用 <a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/drawImage">drawImage</a> 将 Images/video 画面绘制到 canvas</li>
              <li>样式表（使用 <a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/CSS/CSSOM_View">CSSOM</a>）</li>
            </ul>
            <h2 id="功能概述"><a href="#功能概述" class="headerlink" title="功能概述"></a>功能概述</h2>
            <p>跨域资源共享标准新增了一组 HTTP 首部字段，允许服务器声明哪些源站通过浏览器有权限访问哪些资源。另外，规范要求，对那些可能对服务器数据产生副作用的 HTTP 请求方法（特别是 <code>GET</code> 以外的 HTTP 请求，或者搭配某些 <code>MIME</code> 类型的 <code>POST</code> 请求），浏览器必须首先使用 <code>OPTIONS</code> 方法发起一个预检请求（preflight request），从而获知服务端是否允许该跨域请求。服务器确认允许之后，才发起实际的 HTTP 请求。在预检请求的返回中，服务器端也可以通知客户端，是否需要携带身份凭证（包括 Cookies 和 HTTP 认证相关数据）。</p>
            <p>CORS请求失败会产生错误，但是为了安全，在JavaScript代码层面是无法获知到底具体是哪里出了问题。你只能查看浏览器的控制台以得知具体是哪里出现了错误。</p>
            <p>浏览器将CORS请求分成两类：简单请求（simple requests）和预检请求（Preflighted requests）。</p>
            <h2 id="简单请求"><a href="#简单请求" class="headerlink" title="简单请求"></a>简单请求</h2>
            <h3 id="简单请求条件"><a href="#简单请求条件" class="headerlink" title="简单请求条件"></a>简单请求条件</h3>
            <p>只要同时满足以下条件，就属于简单请求。</p>
            <ul>
              <li>请求方法使用下列方法之一：<ul>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Methods/GET">GET</a></li>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Methods/HEAD">HEAD</a></li>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Methods/POST">POST</a></li>
                </ul>
              </li>
              <li>Fetch 规范定义了<a target="_blank" rel="noopener" href="https://fetch.spec.whatwg.org/#cors-safelisted-request-header">对 CORS 安全的首部字段集合</a>，不得人为设置该集合之外的其他首部字段。该集合为：<ul>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Accept">Accept</a></li>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Accept-Language">Accept-Language</a></li>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Language">Content-Language</a></li>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Type">Content-Type</a>：只限于三个值application/x-www-form-urlencoded、multipart/form-data、text/plain</li>
                  <li><a target="_blank" rel="noopener" href="http://httpwg.org/http-extensions/client-hints.html#dpr">DPR</a></li>
                  <li><a target="_blank" rel="noopener" href="http://httpwg.org/http-extensions/client-hints.html#downlink">Downlink</a></li>
                  <li><a target="_blank" rel="noopener" href="http://httpwg.org/http-extensions/client-hints.html#save-data">Save-Data</a></li>
                  <li><a target="_blank" rel="noopener" href="http://httpwg.org/http-extensions/client-hints.html#viewport-width">Viewport-Width</a></li>
                  <li><a target="_blank" rel="noopener" href="http://httpwg.org/http-extensions/client-hints.html#width">Width</a></li>
                </ul>
              </li>
              <li>请求中的任意<a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/API/XMLHttpRequestUpload">XMLHttpRequestUpload</a> 对象均没有注册任何事件监听器；<a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/API/XMLHttpRequestUpload">XMLHttpRequestUpload</a> 对象可以使用 <a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/API/XMLHttpRequest/upload">XMLHttpRequest.upload</a> 属性访问。</li>
              <li>请求中没有使用 <a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/API/ReadableStream">ReadableStream</a> 对象。</li>
            </ul>
            <p><strong>注意</strong><br>Accept, Accept-Language, 和 Content-Language 首部字段在 WebKit/Safari 中可能不会将这些请求视为“简单请求”。</p>
            <p>相关讨论：<br><a target="_blank" rel="noopener" href="https://bugs.webkit.org/show_bug.cgi?id=165178">Require preflight for non-standard CORS-safelisted request headers Accept, Accept-Language, and Content-Language</a><br><a target="_blank" rel="noopener" href="https://bugs.webkit.org/show_bug.cgi?id=165566">Allow commas in Accept, Accept-Language, and Content-Language request headers for simple CORS</a><br><a target="_blank" rel="noopener" href="https://bugs.webkit.org/show_bug.cgi?id=166363">Switch to a blacklist model for restricted Accept headers in simple CORS requests</a></p>
            <h3 id="举例说明"><a href="#举例说明" class="headerlink" title="举例说明"></a>举例说明</h3>
            <p>下面是一个例子，浏览器发现这次跨源AJAX请求是简单请求，就自动在头信息之中，添加一个<code>Origin</code>字段。</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">GET &#x2F;cors HTTP&#x2F;1.1</span><br><span class="line">Origin: http:&#x2F;&#x2F;api.bob.com</span><br><span class="line">Host: api.alice.com</span><br><span class="line">Accept-Language: en-US</span><br><span class="line">Connection: keep-alive</span><br><span class="line">User-Agent: Mozilla&#x2F;5.0...</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>

            <p>上面的头信息中，<code>Origin</code>字段用来说明，本次请求来自哪个源（协议 + 域名 + 端口）。服务器根据这个值，决定是否同意这次请求。</p>
            <p>如果<code>Origin</code>指定的源，不在许可范围内，服务器会返回一个正常的HTTP回应。浏览器发现，这个回应的头信息没有包含<code>Access-Control-Allow-Origin</code>字段（详见下文），就知道出错了，从而抛出一个错误，被<code>XMLHttpRequest</code>的<code>onerror</code>回调函数捕获。注意，这种错误无法通过状态码识别，因为HTTP回应的状态码有可能是200。</p>
            <p>如果<code>Origin</code>指定的域名在许可范围内，服务器返回的响应，会多出几个头信息字段。</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">Access-Control-Allow-Origin: http:&#x2F;&#x2F;api.bob.com</span><br><span class="line">Access-Control-Allow-Credentials: true</span><br><span class="line">Access-Control-Expose-Headers: FooBar</span><br><span class="line">Content-Type: text&#x2F;html; charset&#x3D;utf-8</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>
            <p>上面的头信息之中，有三个与CORS请求相关的字段，都以<code>Access-Control-</code>开头。</p>
            <p><strong>（1）Access-Control-Allow-Origin</strong></p>
            <p>该字段是必须的。它的值要么是请求时Origin字段的值，要么是一个*，表示接受任意域名的请求。</p>
            <p><strong>（2）Access-Control-Allow-Credentials</strong></p>
            <p>该字段可选。它的值是一个布尔值，表示是否允许发送Cookie。默认情况下，Cookie不包括在CORS请求之中。设为<code>true</code>，即表示服务器明确许可，Cookie可以包含在请求中，一起发给服务器。这个值也只能设为<code>true</code>，如果服务器不要浏览器发送Cookie，删除该字段即可。</p>
            <p><strong>（3）Access-Control-Expose-Headers</strong></p>
            <p>该字段可选。CORS请求时，<code>XMLHttpRequest</code>对象的<code>getResponseHeader()</code>方法只能拿到6个基本字段：<code>Cache-Control</code>、<code>Content-Language</code>、<code>Content-Type</code>、<code>Expires</code>、<code>Last-Modified</code>、<code>Pragma</code>。如果想拿到其他字段，就必须在<code>Access-Control-Expose-Headers</code>里面指定。上面的例子指定，<code>getResponseHeader(&#39;FooBar&#39;)</code>可以返回<code>FooBar</code>字段的值</p>
            <h3 id="完整实例"><a href="#完整实例" class="headerlink" title="完整实例"></a>完整实例</h3>
            <p><a target="_blank" rel="noopener" href="http://arunranga.com/examples/access-control/simpleXSInvocation.html">一个简单请求的实例</a></p>
            <figure class="highlight html">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line"><span class="meta">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;</span></span><br><span class="line"><span class="meta">&lt;!DOCTYPE <span class="meta-keyword">html</span> <span class="meta-keyword">PUBLIC</span> <span class="meta-string">&quot;-//W3C//DTD XHTML 1.0 Strict//EN&quot;</span> <span class="meta-string">&quot;http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd&quot;</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">html</span> <span class="attr">xmlns</span>=<span class="string">&quot;http://www.w3.org/1999/xhtml&quot;</span> <span class="attr">xml:lang</span>=<span class="string">&quot;en&quot;</span> <span class="attr">lang</span>=<span class="string">&quot;en&quot;</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">head</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">title</span>&gt;</span>Simple use of Cross-Site XMLHttpRequest (Using Access Control)<span class="tag">&lt;/<span class="name">title</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">script</span> <span class="attr">type</span>=<span class="string">&quot;text/javascript&quot;</span>&gt;</span></span><br><span class="line"></span><br><span class="line"><span class="javascript">  <span class="keyword">var</span> invocation = <span class="keyword">new</span> XMLHttpRequest();</span></span><br><span class="line"><span class="javascript">  <span class="keyword">var</span> url = <span class="string">&#x27;http://aruner.net/resources/access-control-with-get/&#x27;</span>;</span></span><br><span class="line"><span class="javascript">  <span class="keyword">var</span> invocationHistoryText;</span></span><br><span class="line">  </span><br><span class="line"><span class="javascript">  <span class="function"><span class="keyword">function</span> <span class="title">callOtherDomain</span>(<span class="params"></span>) </span>&#123;</span></span><br><span class="line">    if(invocation)&#123;    </span><br><span class="line"><span class="javascript">      invocation.open(<span class="string">&#x27;GET&#x27;</span>, url, <span class="literal">true</span>);</span></span><br><span class="line">      invocation.onreadystatechange = handler;</span><br><span class="line">      invocation.send(); </span><br><span class="line"><span class="javascript">    &#125; <span class="keyword">else</span> &#123;</span></span><br><span class="line"><span class="javascript">      invocationHistoryText = <span class="string">&quot;No Invocation TookPlace At All&quot;</span>;</span></span><br><span class="line"><span class="javascript">      <span class="keyword">var</span> textNode = <span class="built_in">document</span>.createTextNode(invocationHistoryText);</span></span><br><span class="line"><span class="javascript">      <span class="keyword">var</span> textDiv = <span class="built_in">document</span>.getElementById(<span class="string">&quot;textDiv&quot;</span>);</span></span><br><span class="line">      textDiv.appendChild(textNode);</span><br><span class="line">    &#125;</span><br><span class="line">  &#125;</span><br><span class="line"><span class="javascript">  <span class="function"><span class="keyword">function</span> <span class="title">handler</span>(<span class="params">evtXHR</span>) </span>&#123;</span></span><br><span class="line">    if (invocation.readyState == 4) &#123;</span><br><span class="line">      if (invocation.status == 200) &#123;</span><br><span class="line"><span class="javascript">        <span class="keyword">var</span> response = invocation.responseXML;</span></span><br><span class="line"><span class="javascript">        <span class="keyword">var</span> invocationHistory = response.getElementsByTagName(<span class="string">&#x27;invocationHistory&#x27;</span>).item(<span class="number">0</span>).firstChild.data;</span></span><br><span class="line"><span class="javascript">        invocationHistoryText = <span class="built_in">document</span>.createTextNode(invocationHistory);</span></span><br><span class="line"><span class="javascript">        <span class="keyword">var</span> textDiv = <span class="built_in">document</span>.getElementById(<span class="string">&quot;textDiv&quot;</span>);</span></span><br><span class="line">        textDiv.appendChild(invocationHistoryText);</span><br><span class="line">      &#125;</span><br><span class="line"><span class="javascript">      <span class="keyword">else</span></span></span><br><span class="line"><span class="javascript">        alert(<span class="string">&quot;Invocation Errors Occured&quot;</span>);</span></span><br><span class="line">    &#125;</span><br><span class="line"><span class="javascript">    <span class="keyword">else</span></span></span><br><span class="line"><span class="javascript">      dump(<span class="string">&quot;currently the application is at&quot;</span> + invocation.readyState);</span></span><br><span class="line">  &#125;</span><br><span class="line">  <span class="tag">&lt;/<span class="name">script</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">head</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">body</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">form</span> <span class="attr">id</span>=<span class="string">&quot;controlsToInvoke&quot;</span> <span class="attr">action</span>=<span class="string">&quot;&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">p</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">input</span> <span class="attr">type</span>=<span class="string">&quot;button&quot;</span> <span class="attr">value</span>=<span class="string">&quot;Click to Invoke Another Site&quot;</span> <span class="attr">onclick</span>=<span class="string">&quot;callOtherDomain()&quot;</span> /&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">p</span>&gt;</span>    </span><br><span class="line">  <span class="tag">&lt;/<span class="name">form</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">p</span> <span class="attr">id</span>=<span class="string">&quot;intro&quot;</span>&gt;</span></span><br><span class="line">    This page basically makes invocations to another domain using cross-site XMLHttpRequest mitigated by Access Control.  This is the simple scenario that is <span class="tag">&lt;<span class="name">em</span>&gt;</span>NOT<span class="tag">&lt;/<span class="name">em</span>&gt;</span> preflighted, and the invocation to a resource on another domain takes place using a simple HTTP GET.</span><br><span class="line">  <span class="tag">&lt;/<span class="name">p</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">div</span> <span class="attr">id</span>=<span class="string">&quot;textDiv&quot;</span>&gt;</span></span><br><span class="line">    This XHTML document invokes another resource using cross-site XHR.</span><br><span class="line">  <span class="tag">&lt;/<span class="name">div</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">body</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">html</span>&gt;</span></span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>

            <h2 id="预检请求"><a href="#预检请求" class="headerlink" title="预检请求"></a>预检请求</h2>
            <p>与前述简单请求不同，“需预检的请求”要求必须首先使用 <code>OPTIONS</code> 方法发起一个预检请求到服务器，以获知服务器是否允许该实际请求。”预检请求“的使用，可以避免跨域请求对服务器的用户数据产生未预期的影响。</p>
            <h3 id="预检请求条件"><a href="#预检请求条件" class="headerlink" title="预检请求条件"></a>预检请求条件</h3>
            <p>当请求满足下述任一条件时，即应首先发送预检请求：</p>
            <ul>
              <li>使用了下面任一 HTTP 方法：<ul>
                  <li>PUT</li>
                  <li>DELETE</li>
                  <li>CONNECT</li>
                  <li>OPTIONS</li>
                  <li>TRACE</li>
                  <li>PATCH</li>
                </ul>
              </li>
              <li>人为设置了<a target="_blank" rel="noopener" href="https://fetch.spec.whatwg.org/#cors-safelisted-request-header">对 CORS 安全的首部字段集合</a>之外的其他首部字段。该集合为：<ul>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Accept">Accept</a></li>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Accept-Language">Accept-Language</a></li>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Language">Content-Language</a></li>
                  <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Content-Type">Content-Type</a>：不属于三个值application/x-www-form-urlencoded、multipart/form-data、text/plain</li>
                  <li><a target="_blank" rel="noopener" href="http://httpwg.org/http-extensions/client-hints.html#dpr">DPR</a></li>
                  <li><a target="_blank" rel="noopener" href="http://httpwg.org/http-extensions/client-hints.html#downlink">Downlink</a></li>
                  <li><a target="_blank" rel="noopener" href="http://httpwg.org/http-extensions/client-hints.html#save-data">Save-Data</a></li>
                  <li><a target="_blank" rel="noopener" href="http://httpwg.org/http-extensions/client-hints.html#viewport-width">Viewport-Width</a></li>
                  <li><a target="_blank" rel="noopener" href="http://httpwg.org/http-extensions/client-hints.html#width">Width</a></li>
                </ul>
              </li>
            </ul>
            <p>请求中的<a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/API/XMLHttpRequestUpload">XMLHttpRequestUpload</a> 对象注册了任意多个事件监听器。<br>请求中使用了<a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/API/ReadableStream">ReadableStream</a>对象。</p>
            <p><strong>注意</strong><br>Accept, Accept-Language, 和 Content-Language 首部字段在 WebKit/Safari 中可能不会将这些请求视为“简单请求”。</p>
            <h3 id="举例说明-1"><a href="#举例说明-1" class="headerlink" title="举例说明"></a>举例说明</h3>
            <p>下面是一段浏览器的JavaScript脚本。</p>
            <figure class="highlight js">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line"><span class="keyword">var</span> url = <span class="string">&#x27;http://api.alice.com/cors&#x27;</span>;</span><br><span class="line"><span class="keyword">var</span> xhr = <span class="keyword">new</span> XMLHttpRequest();</span><br><span class="line">xhr.open(<span class="string">&#x27;PUT&#x27;</span>, url, <span class="literal">true</span>);</span><br><span class="line">xhr.setRequestHeader(<span class="string">&#x27;X-Custom-Header&#x27;</span>, <span class="string">&#x27;value&#x27;</span>);</span><br><span class="line">xhr.send();</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>
            <p>上面代码中，HTTP请求的方法是<code>PUT</code>，并且发送一个自定义头信息<code>X-Custom-Header</code>。</p>
            <p>浏览器发现，这是一个非简单请求，就自动发出一个”预检”请求，要求服务器确认可以这样请求。下面是这个”预检”请求的HTTP头信息。</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">OPTIONS &#x2F;cors HTTP&#x2F;1.1</span><br><span class="line">Origin: http:&#x2F;&#x2F;api.bob.com</span><br><span class="line">Access-Control-Request-Method: PUT</span><br><span class="line">Access-Control-Request-Headers: X-Custom-Header</span><br><span class="line">Host: api.alice.com</span><br><span class="line">Accept-Language: en-US</span><br><span class="line">Connection: keep-alive</span><br><span class="line">User-Agent: Mozilla&#x2F;5.0...</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>
            <p>“预检”请求用的请求方法是<code>OPTIONS</code>，表示这个请求是用来询问的。头信息里面，关键字段是<code>Origin</code>，表示请求来自哪个源。</p>
            <p>除了<code>Origin</code>字段，”预检”请求的头信息包括两个特殊字段。</p>
            <ul>
              <li>Access-Control-Request-Method<br>该字段是必须的，用来列出浏览器的CORS请求会用到哪些HTTP方法，上例是<code>PUT</code>。</li>
            </ul>
            <p>-（2）Access-Control-Request-Headers<br>该字段是一个逗号分隔的字符串，指定浏览器CORS请求会额外发送的头信息字段，上例是<code>X-Custom-Header</code>。</p>
            <p><strong>预检请求的回应</strong><br>服务器收到”预检”请求以后，检查了<code>Origin</code>、<code>Access-Control-Request-Method</code>和<code>Access-Control-Request-Headers</code>字段以后，确认允许跨源请求，就可以做出回应。</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">HTTP&#x2F;1.1 200 OK</span><br><span class="line">Date: Mon, 01 Dec 2008 01:15:39 GMT</span><br><span class="line">Server: Apache&#x2F;2.0.61 (Unix)</span><br><span class="line">Access-Control-Allow-Origin: http:&#x2F;&#x2F;api.bob.com</span><br><span class="line">Access-Control-Allow-Methods: GET, POST, PUT</span><br><span class="line">Access-Control-Allow-Headers: X-Custom-Header</span><br><span class="line">Content-Type: text&#x2F;html; charset&#x3D;utf-8</span><br><span class="line">Content-Encoding: gzip</span><br><span class="line">Content-Length: 0</span><br><span class="line">Keep-Alive: timeout&#x3D;2, max&#x3D;100</span><br><span class="line">Connection: Keep-Alive</span><br><span class="line">Content-Type: text&#x2F;plain</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>
            <p>上面的HTTP回应中，关键的是<code>Access-Control-Allow-Origin</code>字段，表示<code>http://api.bob.com</code>可以请求数据。该字段也可以设为星号，表示同意任意跨源请求。</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">Access-Control-Allow-Origin: *</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>
            <p>如果浏览器否定了”预检”请求，会返回一个正常的HTTP回应，但是没有任何CORS相关的头信息字段。这时，浏览器就会认定，服务器不同意预检请求，因此触发一个错误，被<code>XMLHttpRequest</code>对象的<code>onerror</code>回调函数捕获。控制台会打印出如下的报错信息。</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">XMLHttpRequest cannot load http:&#x2F;&#x2F;api.alice.com.</span><br><span class="line">Origin http:&#x2F;&#x2F;api.bob.com is not allowed by Access-Control-Allow-Origin.</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>
            <p>服务器回应的其他CORS相关字段如下。</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">Access-Control-Allow-Methods: GET, POST, PUT</span><br><span class="line">Access-Control-Allow-Headers: X-Custom-Header</span><br><span class="line">Access-Control-Allow-Credentials: true</span><br><span class="line">Access-Control-Max-Age: 1728000</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>

            <ul>
              <li>
                <p>（1）Access-Control-Allow-Methods<br>该字段必需，它的值是逗号分隔的一个字符串，表明服务器支持的所有跨域请求的方法。注意，返回的是所有支持的方法，而不单是浏览器请求的那个方法。这是为了避免多次”预检”请求。</p>
              </li>
              <li>
                <p>（2）Access-Control-Allow-Headers<br>如果浏览器请求包括<code>Access-Control-Request-Headers</code>字段，则<code>Access-Control-Allow-Headers</code>字段是必需的。它也是一个逗号分隔的字符串，表明服务器支持的所有头信息字段，不限于浏览器在”预检”中请求的字段。</p>
              </li>
              <li>
                <p>（3）Access-Control-Allow-Credentials<br>该字段与简单请求时的含义相同。</p>
              </li>
              <li>
                <p>（4）Access-Control-Max-Age<br>该字段可选，用来指定本次预检请求的有效期，单位为秒。上面结果中，有效期是20天（1728000秒），即允许缓存该条回应1728000秒（即20天），在此期间，不用发出另一条预检请求。</p>
              </li>
            </ul>
            <p><strong>预检请求成功之后浏览器进行正常的CORS请求，就都跟简单请求一样，会有一个<code>Origin</code>头信息字段。服务器的回应，也都会有一个<code>Access-Control-Allow-Origin</code>头信息字段。</strong></p>
            <h3 id="完整实例-1"><a href="#完整实例-1" class="headerlink" title="完整实例"></a>完整实例</h3>
            <figure class="highlight html">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line"><span class="meta">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;</span></span><br><span class="line"><span class="meta">&lt;!DOCTYPE <span class="meta-keyword">html</span> <span class="meta-keyword">PUBLIC</span> <span class="meta-string">&quot;-//W3C//DTD XHTML 1.0 Strict//EN&quot;</span> <span class="meta-string">&quot;http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd&quot;</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">html</span> <span class="attr">xmlns</span>=<span class="string">&quot;http://www.w3.org/1999/xhtml&quot;</span> <span class="attr">xml:lang</span>=<span class="string">&quot;en&quot;</span> <span class="attr">lang</span>=<span class="string">&quot;en&quot;</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">head</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">title</span>&gt;</span>Simple use of Cross-Site XMLHttpRequest (Using Access Control)<span class="tag">&lt;/<span class="name">title</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">script</span> <span class="attr">type</span>=<span class="string">&quot;text/javascript&quot;</span>&gt;</span></span><br><span class="line"></span><br><span class="line"><span class="javascript">  <span class="keyword">var</span> invocation = <span class="keyword">new</span> XMLHttpRequest();</span></span><br><span class="line"><span class="javascript">  <span class="keyword">var</span> url = <span class="string">&#x27;http://aruner.net/resources/access-control-with-post-preflight/&#x27;</span>;</span></span><br><span class="line"><span class="javascript">  <span class="keyword">var</span> invocationHistoryText;</span></span><br><span class="line"><span class="handlebars"><span class="xml">  var body = &#x27;<span class="meta">&lt;?xml version=&quot;1.0&quot;?&gt;</span><span class="tag">&lt;<span class="name">person</span>&gt;</span><span class="tag">&lt;<span class="name">name</span>&gt;</span>Arun<span class="tag">&lt;/<span class="name">name</span>&gt;</span><span class="tag">&lt;/<span class="name">person</span>&gt;</span>&#x27;;</span></span></span><br><span class="line">  </span><br><span class="line"><span class="javascript">  <span class="function"><span class="keyword">function</span> <span class="title">callOtherDomain</span>(<span class="params"></span>) </span>&#123;</span></span><br><span class="line">    if(invocation) &#123;</span><br><span class="line"><span class="javascript">      invocation.open(<span class="string">&#x27;POST&#x27;</span>, url, <span class="literal">true</span>);</span></span><br><span class="line"><span class="javascript">      invocation.setRequestHeader(<span class="string">&#x27;X-PINGARUNER&#x27;</span>, <span class="string">&#x27;pingpong&#x27;</span>);</span></span><br><span class="line"><span class="javascript">      invocation.setRequestHeader(<span class="string">&#x27;Content-Type&#x27;</span>, <span class="string">&#x27;application/xml&#x27;</span>);</span></span><br><span class="line">      invocation.onreadystatechange = handler;</span><br><span class="line">      invocation.send(body); </span><br><span class="line"><span class="javascript">    &#125; <span class="keyword">else</span> &#123;</span></span><br><span class="line"><span class="javascript">      invocationHistoryText = <span class="string">&quot;No Invocation TookPlace At All&quot;</span>;</span></span><br><span class="line"><span class="javascript">      <span class="keyword">var</span> textNode = <span class="built_in">document</span>.createTextNode(invocationHistoryText);</span></span><br><span class="line"><span class="javascript">      <span class="keyword">var</span> textDiv = <span class="built_in">document</span>.getElementById(<span class="string">&quot;textDiv&quot;</span>);</span></span><br><span class="line">      textDiv.appendChild(textNode);</span><br><span class="line">    &#125;</span><br><span class="line">      </span><br><span class="line">  &#125;</span><br><span class="line"><span class="javascript">  <span class="function"><span class="keyword">function</span> <span class="title">handler</span>(<span class="params">evtXHR</span>) </span>&#123;</span></span><br><span class="line">    if (invocation.readyState == 4) &#123;</span><br><span class="line">      if (invocation.status == 200) &#123;</span><br><span class="line"><span class="javascript">        <span class="keyword">var</span> response = invocation.responseText;</span></span><br><span class="line"><span class="javascript">        <span class="comment">//var invocationHistory = response.getElementsByTagName(&#x27;invocationHistory&#x27;).item(0).firstChild.data;</span></span></span><br><span class="line"><span class="javascript">        invocationHistoryText = <span class="built_in">document</span>.createTextNode(response);</span></span><br><span class="line"><span class="javascript">        <span class="keyword">var</span> textDiv = <span class="built_in">document</span>.getElementById(<span class="string">&quot;textDiv&quot;</span>);</span></span><br><span class="line">        textDiv.appendChild(invocationHistoryText);</span><br><span class="line">          </span><br><span class="line"><span class="javascript">      &#125; <span class="keyword">else</span> &#123;</span></span><br><span class="line"><span class="javascript">        alert(<span class="string">&quot;Invocation Errors Occured &quot;</span> + invocation.readyState + <span class="string">&quot; and the status is &quot;</span> + invocation.status);</span></span><br><span class="line">      &#125;</span><br><span class="line"><span class="javascript">    &#125; <span class="keyword">else</span> &#123;</span></span><br><span class="line"><span class="javascript">      dump(<span class="string">&quot;currently the application is at&quot;</span> + invocation.readyState);</span></span><br><span class="line">    &#125;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="tag">&lt;/<span class="name">script</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">head</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">body</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">form</span> <span class="attr">id</span>=<span class="string">&quot;controlsToInvoke&quot;</span> <span class="attr">action</span>=<span class="string">&quot;&quot;</span>&gt;</span></span><br><span class="line">        <span class="tag">&lt;<span class="name">p</span>&gt;</span></span><br><span class="line">        <span class="tag">&lt;<span class="name">input</span> <span class="attr">type</span>=<span class="string">&quot;button&quot;</span> <span class="attr">value</span>=<span class="string">&quot;Click to Invoke Another Site&quot;</span> <span class="attr">onclick</span>=<span class="string">&quot;callOtherDomain()&quot;</span> /&gt;</span></span><br><span class="line">        <span class="tag">&lt;/<span class="name">p</span>&gt;</span>    </span><br><span class="line">    <span class="tag">&lt;/<span class="name">form</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">p</span> <span class="attr">id</span>=<span class="string">&quot;intro&quot;</span>&gt;</span></span><br><span class="line">    This page POSTs XML data to another domain using cross-site XMLHttpRequest mitigated by Access Control.  This is the preflight scenario and the invocation to a resource on another domain takes place using first an OPTIONS request, then an actual POST request.</span><br><span class="line">    <span class="tag">&lt;/<span class="name">p</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">div</span> <span class="attr">id</span>=<span class="string">&quot;textDiv&quot;</span>&gt;</span></span><br><span class="line">        This XHTML document POSTs to another resource using cross-site XHR.  If you get a response back, the content of that response should reflect what you POSTed.</span><br><span class="line">    <span class="tag">&lt;/<span class="name">div</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">body</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">html</span>&gt;</span></span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>

            <h3 id="预检请求与重定向"><a href="#预检请求与重定向" class="headerlink" title="预检请求与重定向"></a>预检请求与重定向</h3>
            <p>大多数浏览器不支持针对于预检请求的重定向。如果一个预检请求发生了重定向，浏览器将报告错误：</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">The request was redirected to &#39;https:&#x2F;&#x2F;example.com&#x2F;foo&#39;, which is disallowed for cross-origin requests that require preflight</span><br><span class="line"></span><br><span class="line">Request requires preflight, which is disallowed to follow cross-origin redirect</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>

            <p>在浏览器的实现跟上规范之前，有两种方式规避上述报错行为：</p>
            <ul>
              <li>在服务端去掉对预检请求的重定向；</li>
              <li>将实际请求变成一个简单请求。</li>
            </ul>
            <p>如果上面两种方式难以做到，我们仍有其他办法：</p>
            <ul>
              <li>发出一个简单请求（使用 <a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/API/Response/url">Response.url</a> 或 <a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/responseURL">XHR.responseURL</a>）以判断真正的预检请求会返回什么地址。</li>
              <li>发出另一个请求（真正的请求），使用在上一步通过<a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/API/Response/url">Response.url</a> 或 <a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/responseURL">XMLHttpRequest.responseURL</a>获得的URL。</li>
            </ul>
            <p>不过，如果请求是由于存在 Authorization 字段而引发了预检请求，则这一方法将无法使用。这种情况只能由服务端进行更改。</p>
            <h2 id="附带身份凭证的请求"><a href="#附带身份凭证的请求" class="headerlink" title="附带身份凭证的请求"></a>附带身份凭证的请求</h2>
            <p>一般而言，对于跨域 <code>XMLHttpRequest</code> 或 <code>Fetch</code> 请求，浏览器不会发送身份凭证信息。如果要发送凭证信息，需要设置 <code>XMLHttpRequest</code>的<code>withCredentials</code> 标志设置为 true，从而向服务器发送 Cookies。</p>
            <figure class="highlight js">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line"><span class="keyword">var</span> invocation = <span class="keyword">new</span> XMLHttpRequest();</span><br><span class="line"><span class="keyword">var</span> url = <span class="string">&#x27;http://bar.other/resources/credentialed-content/&#x27;</span>;</span><br><span class="line">    </span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">callOtherDomain</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">  <span class="keyword">if</span>(invocation) &#123;</span><br><span class="line">    invocation.open(<span class="string">&#x27;GET&#x27;</span>, url, <span class="literal">true</span>);</span><br><span class="line">    invocation.withCredentials = <span class="literal">true</span>;</span><br><span class="line">    invocation.onreadystatechange = handler;</span><br><span class="line">    invocation.send(); </span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>

            <p>如果服务器端的响应中未携带 <code>Access-Control-Allow-Credentials: true</code> ，浏览器将不会把响应内容返回给请求的发送者。</p>
            <p>对于附带身份凭证的请求，服务器不得设置 <code>Access-Control-Allow-Origin</code> 的值为“*”。</p>
            <p>这是因为请求的首部中携带了 <code>Cookie</code> 信息，如果 <code>Access-Control-Allow-Origin</code> 的值为“*”，请求将会失败。而将 <code>Access-Control-Allow-Origin</code> 的值设置为 <code>http://foo.example</code>，则请求将成功执行。</p>
            <p>另外，响应首部中也携带了 <code>Set-Cookie</code> 字段，尝试对 <code>Cookie</code> 进行修改。如果操作失败，将会抛出异常。</p>
            <h2 id="HTTP-响应首部字段"><a href="#HTTP-响应首部字段" class="headerlink" title="HTTP 响应首部字段"></a>HTTP 响应首部字段</h2>
            <ul>
              <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Access-Control-Allow-Origin">Access-Control-Allow-Origin</a><br>响应首部中可以携带一个 <code>Access-Control-Allow-Origin</code> 字段，其语法如下:<figure class="highlight plain">
                  <table>
                    <tr>
                      <td class="gutter">
                        <pre><span class="line">1</span><br></pre>
                      </td>
                      <td class="code">
                        <pre><span class="line">Access-Control-Allow-Origin: &lt;origin&gt; | *</span><br></pre>
                      </td>
                    </tr>
                  </table>
                </figure>
                其中，origin 参数的值指定了允许访问该资源的外域 URI。对于不需要携带身份凭证的请求，服务器可以指定该字段的值为通配符，表示允许来自所有域的请求。</li>
            </ul>
            <p>例如，下面的字段值将允许来自 <code>http://mozilla.com</code> 的请求：</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">Access-Control-Allow-Origin: http:&#x2F;&#x2F;mozilla.com</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>
            <p>如果服务端指定了具体的域名而非“*”，那么响应首部中的 Vary 字段的值必须包含 Origin。这将告诉客户端：服务器对不同的源站返回不同的内容。</p>
            <ul>
              <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers">Access-Control-Expose-Headers</a><br>在跨域访问时，XMLHttpRequest对象的getResponseHeader()方法只能拿到一些最基本的响应头，Cache-Control、Content-Language、Content-Type、Expires、Last-Modified、Pragma，如果要访问其他头，则需要服务器设置本响应头。</li>
            </ul>
            <p><code>Access-Control-Expose-Headers</code> 头让服务器把允许浏览器访问的头放入白名单，例如：</p>
            <figure class="highlight plain">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">Access-Control-Expose-Headers: X-My-Custom-Header, X-Another-Custom-Header</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>
            <p>这样浏览器就能够通过<code>getResponseHeader</code>访问<code>X-My-Custom-Header</code>和 <code>X-Another-Custom-Header</code> 响应头了。</p>
            <ul>
              <li>
                <p><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Access-Control-Max-Age">Access-Control-Max-Age</a><br><code>Access-Control-Max-Age</code> 头指定了preflight请求的结果能够被缓存多久，请参考本文在前面提到的preflight例子。</p>
                <figure class="highlight plain">
                  <table>
                    <tr>
                      <td class="gutter">
                        <pre><span class="line">1</span><br></pre>
                      </td>
                      <td class="code">
                        <pre><span class="line">Access-Control-Max-Age: &lt;delta-seconds&gt;</span><br></pre>
                      </td>
                    </tr>
                  </table>
                </figure>
                <p><code>delta-seconds</code> 参数表示preflight请求的结果在多少秒内有效。</p>
              </li>
              <li>
                <p><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials">Access-Control-Allow-Credentials</a><br><code>Access-Control-Allow-Credentials</code> 头指定了当浏览器的<code>credentials</code>设置为true时是否允许浏览器读取response的内容。当用在对preflight预检测请求的响应中时，它指定了实际的请求是否可以使用<code>credentials</code>。请注意：简单 GET 请求不会被预检；如果对此类请求的响应中不包含该字段，这个响应将被忽略掉，并且浏览器也不会将相应内容返回给网页。</p>
                <figure class="highlight plain">
                  <table>
                    <tr>
                      <td class="gutter">
                        <pre><span class="line">1</span><br></pre>
                      </td>
                      <td class="code">
                        <pre><span class="line">Access-Control-Allow-Credentials: true</span><br></pre>
                      </td>
                    </tr>
                  </table>
                </figure>
              </li>
              <li>
                <p><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Access-Control-Allow-Methods">Access-Control-Allow-Methods</a><br><code>Access-Control-Allow-Methods</code> 首部字段用于预检请求的响应。其指明了实际请求所允许使用的 HTTP 方法。</p>
                <figure class="highlight plain">
                  <table>
                    <tr>
                      <td class="gutter">
                        <pre><span class="line">1</span><br></pre>
                      </td>
                      <td class="code">
                        <pre><span class="line">Access-Control-Allow-Methods: &lt;method&gt;[, &lt;method&gt;]*</span><br></pre>
                      </td>
                    </tr>
                  </table>
                </figure>
              </li>
              <li>
                <p><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Access-Control-Allow-Methods">Access-Control-Allow-Headers</a><br><code>Access-Control-Allow-Headers</code> 首部字段用于预检请求的响应。其指明了实际请求中允许携带的首部字段。</p>
                <figure class="highlight plain">
                  <table>
                    <tr>
                      <td class="gutter">
                        <pre><span class="line">1</span><br></pre>
                      </td>
                      <td class="code">
                        <pre><span class="line">Access-Control-Allow-Headers: &lt;field-name&gt;[, &lt;field-name&gt;]*</span><br></pre>
                      </td>
                    </tr>
                  </table>
                </figure>
              </li>
            </ul>
            <h2 id="HTTP-请求首部字段"><a href="#HTTP-请求首部字段" class="headerlink" title="HTTP 请求首部字段"></a>HTTP 请求首部字段</h2>
            <p>列出了可用于发起跨域请求的首部字段。请注意，这些首部字段无须手动设置。 当开发者使用 XMLHttpRequest 对象发起跨域请求时，它们已经被设置就绪。</p>
            <ul>
              <li><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Origin">Origin</a><br><code>Origin</code> 首部字段表明预检请求或实际请求的源站。<figure class="highlight plain">
                  <table>
                    <tr>
                      <td class="gutter">
                        <pre><span class="line">1</span><br></pre>
                      </td>
                      <td class="code">
                        <pre><span class="line">Origin: &lt;origin&gt;</span><br></pre>
                      </td>
                    </tr>
                  </table>
                </figure>
                origin 参数的值为源站 URI。它不包含任何路径信息，只是服务器名称。</li>
            </ul>
            <blockquote>
              <p>Note: 有时候将该字段的值设置为空字符串是有用的，例如，当源站是一个 data URL 时。<br>注意，不管是否为跨域请求，ORIGIN 字段总是被发送。</p>
            </blockquote>
            <ul>
              <li>
                <p><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Access-Control-Request-Method">Access-Control-Request-Method</a><br><code>Access-Control-Request-Method</code> 首部字段用于预检请求。其作用是，将实际请求所使用的 HTTP 方法告诉服务器。</p>
                <figure class="highlight plain">
                  <table>
                    <tr>
                      <td class="gutter">
                        <pre><span class="line">1</span><br></pre>
                      </td>
                      <td class="code">
                        <pre><span class="line">Access-Control-Request-Method: &lt;method&gt;</span><br></pre>
                      </td>
                    </tr>
                  </table>
                </figure>
              </li>
              <li>
                <p><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Access-Control-Request-Headers">Access-Control-Request-Headers</a><br><code>Access-Control-Request-Headers</code> 首部字段用于预检请求。其作用是，将实际请求所携带的首部字段告诉服务器。</p>
                <figure class="highlight plain">
                  <table>
                    <tr>
                      <td class="gutter">
                        <pre><span class="line">1</span><br></pre>
                      </td>
                      <td class="code">
                        <pre><span class="line">Access-Control-Request-Headers: &lt;field-name&gt;[, &lt;field-name&gt;]*</span><br></pre>
                      </td>
                    </tr>
                  </table>
                </figure>
              </li>
            </ul>
            <blockquote>
              <p>IE 10 提供了对规范的完整支持，但在较早版本（8 和 9）中，CORS 机制是借由 XDomainRequest 对象完成的。<br>Firefox 3.5 引入了对 XMLHttpRequests 和 Web 字体的跨域支持（但最初的实现并不完整，这在后续版本中得到完善）；Firefox 7 引入了对 WebGL 贴图的跨域支持；Firefox 9 引入了对 drawImage 的跨域支持。</p>
            </blockquote>
            <h2 id="服务端配置CORS"><a href="#服务端配置CORS" class="headerlink" title="服务端配置CORS"></a>服务端配置CORS</h2>
            <p>在服务端使用cors，因为服务端有很多种，所以这里只举例自己知道的Node、Nginx、Koa，如果有同学知道其他的方法，欢迎在评论里面添加。</p>
            <h3 id="Nginx"><a href="#Nginx" class="headerlink" title="Nginx"></a>Nginx</h3>
            <figure class="highlight bash">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">server &#123;</span><br><span class="line">  listen    80;</span><br><span class="line">  server_name  aaaaa.xxxx.me;</span><br><span class="line"></span><br><span class="line">  location / &#123;</span><br><span class="line">    <span class="keyword">if</span> (<span class="variable">$request_method</span> = <span class="string">&#x27;OPTIONS&#x27;</span>) &#123;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Origin&#x27;</span> <span class="string">&#x27;*&#x27;</span> ;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Credentials&#x27;</span> <span class="string">&#x27;false&#x27;</span>;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Methods&#x27;</span> <span class="string">&#x27;GET, POST, OPTIONS&#x27;</span>;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Headers&#x27;</span> <span class="string">&#x27;DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type&#x27;</span>;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Max-Age&#x27;</span> 1728000;</span><br><span class="line">      add_header <span class="string">&#x27;Content-Type&#x27;</span> <span class="string">&#x27;text/plain charset=UTF-8&#x27;</span>;</span><br><span class="line">      add_header <span class="string">&#x27;Content-Length&#x27;</span> 0;</span><br><span class="line">      <span class="comment"># 预检请求直接返回</span></span><br><span class="line">      <span class="built_in">return</span> 204;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span> (<span class="variable">$request_method</span> = <span class="string">&#x27;POST&#x27;</span>) &#123;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Origin&#x27;</span> <span class="string">&#x27;*&#x27;</span> ;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Credentials&#x27;</span> <span class="string">&#x27;false&#x27;</span>;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Methods&#x27;</span> <span class="string">&#x27;GET, POST, OPTIONS&#x27;</span>;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Headers&#x27;</span> <span class="string">&#x27;DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span> (<span class="variable">$request_method</span> = <span class="string">&#x27;GET&#x27;</span>) &#123;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Origin&#x27;</span> <span class="string">&#x27;*&#x27;</span> ;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Credentials&#x27;</span> <span class="string">&#x27;false&#x27;</span>;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Methods&#x27;</span> <span class="string">&#x27;GET, POST, OPTIONS&#x27;</span>;</span><br><span class="line">      add_header <span class="string">&#x27;Access-Control-Allow-Headers&#x27;</span> <span class="string">&#x27;DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type&#x27;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    proxy_connect_timeout   3;</span><br><span class="line">    proxy_send_timeout      30;</span><br><span class="line">    proxy_read_timeout      30;</span><br><span class="line">    proxy_pass http://localhost:9716;</span><br><span class="line">    proxy_redirect    off;</span><br><span class="line">    proxy_set_header Host <span class="variable">$host</span>;</span><br><span class="line">    proxy_set_header X-Real-IP <span class="variable">$remote_addr</span>;</span><br><span class="line">    proxy_set_header REMOTE-HOST <span class="variable">$remote_addr</span>;</span><br><span class="line">    proxy_set_header X-Forwarded-For <span class="variable">$proxy_add_x_forwarded_for</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>

            <p>该示例不包含带有身份凭证请求的处理，如果需要可将<code>Access-Control-Allow-Origin</code>指定为特定协议+域名+端口的源，同时<code>Access-Control-Allow-Credentials</code>为true，这样会因为<code>Access-Control-Allow-Origin</code>一次只能配置一个源而无法配置多个源，可以使用map改善这个情况。</p>
            <figure class="highlight bash">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line">map <span class="variable">$http_origin</span> <span class="variable">$corsHost</span> &#123;</span><br><span class="line">    default 0;</span><br><span class="line">    <span class="string">&quot;~http://www.haibakeji.com&quot;</span> http://www.haibakeji.com;</span><br><span class="line">    <span class="string">&quot;~http://m.haibakeji.com&quot;</span> http://m.haibakeji.com;</span><br><span class="line">    <span class="string">&quot;~http://wap.haibakeji.com&quot;</span> http://wap.haibakeji.com;</span><br><span class="line">&#125;</span><br><span class="line">......</span><br><span class="line">add_header Access-Control-Allow-Origin <span class="variable">$corsHost</span>;</span><br><span class="line">......</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>

            <h3 id="Node"><a href="#Node" class="headerlink" title="Node"></a>Node</h3>
            <p>定义一个中间件来添加响应标头，然后在处理app.get（或post等）之前使用 </p>
            <figure class="highlight js">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line"><span class="comment">//CORS middleware</span></span><br><span class="line"><span class="keyword">var</span> allowCrossDomain = <span class="function"><span class="keyword">function</span>(<span class="params">req, res, next</span>) </span>&#123;</span><br><span class="line">  res.header(<span class="string">&#x27;Access-Control-Allow-Origin&#x27;</span>, <span class="string">&#x27;http://example.com&#x27;</span>);</span><br><span class="line">  res.header(<span class="string">&#x27;Access-Control-Allow-Methods&#x27;</span>, <span class="string">&#x27;GET,PUT,POST,DELETE&#x27;</span>);</span><br><span class="line">  res.header(<span class="string">&#x27;Access-Control-Allow-Headers&#x27;</span>, <span class="string">&#x27;Content-Type&#x27;</span>);</span><br><span class="line"></span><br><span class="line">  next();</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">//...</span></span><br><span class="line">app.configure(<span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">  app.use(express.bodyParser());</span><br><span class="line">  app.use(express.cookieParser());</span><br><span class="line">  app.use(express.session(&#123; <span class="attr">secret</span>: <span class="string">&#x27;cool beans&#x27;</span> &#125;));</span><br><span class="line">  app.use(express.methodOverride());</span><br><span class="line">  app.use(allowCrossDomain);</span><br><span class="line">  app.use(app.router);</span><br><span class="line">  app.use(express.static(__dirname + <span class="string">&#x27;/public&#x27;</span>));</span><br><span class="line">&#125;);</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>
            <h3 id="Koa"><a href="#Koa" class="headerlink" title="Koa"></a>Koa</h3>
            <p>koa框架肯定是可以解决的，但是有一个优秀的插件将为我们省不少力气。<a target="_blank" rel="noopener" href="https://www.npmjs.com/package/koa2-cors">koa2-cors</a></p>
            <figure class="highlight js">
              <table>
                <tr>
                  <td class="gutter">
                    <pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre>
                  </td>
                  <td class="code">
                    <pre><span class="line"><span class="keyword">var</span> Koa = <span class="built_in">require</span>(<span class="string">&#x27;koa&#x27;</span>);</span><br><span class="line"><span class="keyword">var</span> cors = <span class="built_in">require</span>(<span class="string">&#x27;koa2-cors&#x27;</span>);</span><br><span class="line"> </span><br><span class="line"><span class="keyword">var</span> app = <span class="keyword">new</span> Koa();</span><br><span class="line">app.use(cors(&#123;</span><br><span class="line">  origin: <span class="function"><span class="keyword">function</span>(<span class="params">ctx</span>) </span>&#123;</span><br><span class="line">    <span class="keyword">if</span> (ctx.url === <span class="string">&#x27;/test&#x27;</span>) &#123;</span><br><span class="line">      <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="string">&#x27;*&#x27;</span>;</span><br><span class="line">  &#125;,</span><br><span class="line">  exposeHeaders: [<span class="string">&#x27;WWW-Authenticate&#x27;</span>, <span class="string">&#x27;Server-Authorization&#x27;</span>],</span><br><span class="line">  maxAge: <span class="number">5</span>,</span><br><span class="line">  credentials: <span class="literal">true</span>,</span><br><span class="line">  allowMethods: [<span class="string">&#x27;GET&#x27;</span>, <span class="string">&#x27;POST&#x27;</span>, <span class="string">&#x27;DELETE&#x27;</span>],</span><br><span class="line">  allowHeaders: [<span class="string">&#x27;Content-Type&#x27;</span>, <span class="string">&#x27;Authorization&#x27;</span>, <span class="string">&#x27;Accept&#x27;</span>],</span><br><span class="line">&#125;));</span><br></pre>
                  </td>
                </tr>
              </table>
            </figure>

            <p>这段代码只是一个小栗子，具体要查看文档了解详细内容</p>
            <h1 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h1>
            <p><a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">Cross-Origin Resource Sharing (CORS)</a><br><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS">HTTP访问控制（CORS）(中)</a></p>
            <p><a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API">Fetch API</a><br><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/API/Fetch_API">Fetch API(中)</a></p>
            <p><a target="_blank" rel="noopener" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Server-Side_Access_Control">Server-Side Access Control</a><br><a target="_blank" rel="noopener" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Server-Side_Access_Control">服务器端访问控制（CORS）(中)</a></p>
            <p><a target="_blank" rel="noopener" href="http://www.ruanyifeng.com/blog/2016/04/cors.html">跨域资源共享 CORS 详解</a></p>
            <p><a target="_blank" rel="noopener" href="https://www.haibakeji.com/archives/249.html">配置Nginx 允许多个域名跨域访问</a><br><a target="_blank" rel="noopener" href="https://blog.csdn.net/azureternite/article/details/52349219">在Node.js上启用CORS</a></p>

          </div>





          <footer class="post-footer">
            <div class="post-tags">
              <a href="/tags/CORS/" rel="tag"># CORS</a>
            </div>



            <div class="post-nav">
              <div class="post-nav-item">
                <a href="/blob/2019-04-09-ajax-cross-domain/" rel="prev" title="ajax 跨域">
                  <i class="fa fa-chevron-left"></i> ajax 跨域
                </a>
              </div>
              <div class="post-nav-item">
                <a href="/blob/2019-04-11-what-did-javascript-experience-in-2018/" rel="next" title="2018年，JavaScript都经历了什么">
                  2018年，JavaScript都经历了什么 <i class="fa fa-chevron-right"></i>
                </a>
              </div>
            </div>
          </footer>
        </article>
      </div>







      <script>
        window.addEventListener('tabs:register', () => {
          let {
            activeClass
          } = CONFIG.comments;
          if (CONFIG.comments.storage) {
            activeClass = localStorage.getItem('comments_active') || activeClass;
          }
          if (activeClass) {
            const activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
            if (activeTab) {
              activeTab.click();
            }
          }
        });
        if (CONFIG.comments.storage) {
          window.addEventListener('tabs:click', event => {
            if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
            const commentClass = event.target.classList[1];
            localStorage.setItem('comments_active', commentClass);
          });
        }
      </script>
    </div>
  </main>

  <footer class="footer">
    <div class="footer-inner">


      <div class="copyright">
        &copy;
        <span itemprop="copyrightYear">2021</span>
        <span class="with-love">
          <i class="fa fa-heart"></i>
        </span>
        <span class="author" itemprop="copyrightHolder">holidaypenguin</span>
      </div>
      <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.js.org/mist/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a> 强力驱动
      </div>

    </div>
  </footer>


  <script size="300" alpha="0.1" zIndex="-1" src="https://cdn.jsdelivr.net/npm/ribbon.js@1.0.2/dist/ribbon.min.js"></script>
  <script src="https://cdn.jsdelivr.net/npm/animejs@3.2.1/lib/anime.min.js"></script>
  <script src="/js/love.js"></script>

  <script src="/js/development.js"></script>
  <script src="/js/utils.js"></script>
  <script src="/js/motion.js"></script>
  <script src="/js/schemes/muse.js"></script>
  <script src="/js/next-boot.js"></script>


  <script src="/js/local-search.js"></script>









  <script>
    (function() {
      function leancloudSelector(url) {
        url = encodeURI(url);
        return document.getElementById(url).querySelector('.leancloud-visitors-count');
      }

      function addCount(Counter) {
        const visitors = document.querySelector('.leancloud_visitors');
        const url = decodeURI(visitors.id);
        const title = visitors.dataset.flagTitle;

        Counter('get', '/classes/Counter?where=' + encodeURIComponent(JSON.stringify({
            url
          })))
          .then(response => response.json())
          .then(({
            results
          }) => {
            if (results.length > 0) {
              const counter = results[0];
              leancloudSelector(url).innerText = counter.time + 1;
              Counter('put', '/classes/Counter/' + counter.objectId, {
                  time: {
                    '__op': 'Increment',
                    'amount': 1
                  }
                })
                .catch(error => {
                  console.error('Failed to save visitor count', error);
                });
            } else {
              Counter('post', '/classes/Counter', {
                  title,
                  url,
                  time: 1
                })
                .then(response => response.json())
                .then(() => {
                  leancloudSelector(url).innerText = 1;
                })
                .catch(error => {
                  console.error('Failed to create', error);
                });
            }
          })
          .catch(error => {
            console.error('LeanCloud Counter Error', error);
          });
      }

      function showTime(Counter) {
        const visitors = document.querySelectorAll('.leancloud_visitors');
        const entries = [...visitors].map(element => {
          return decodeURI(element.id);
        });

        Counter('get', '/classes/Counter?where=' + encodeURIComponent(JSON.stringify({
            url: {
              '$in': entries
            }
          })))
          .then(response => response.json())
          .then(({
            results
          }) => {
            for (let url of entries) {
              const target = results.find(item => item.url === url);
              leancloudSelector(url).innerText = target ? target.time : 0;
            }
          })
          .catch(error => {
            console.error('LeanCloud Counter Error', error);
          });
      }

      const {
        app_id,
        app_key,
        server_url
      } = {
        "enable": true,
        "app_id": "povuqNsSqFodlakVIwtEX5kb-gzGzoHsz",
        "app_key": "zXD40RDtDB3DMtpC89k0AK7g",
        "server_url": null,
        "security": false
      };

      function fetchData(api_server) {
        const Counter = (method, url, data) => {
          return fetch(`${api_server}/1.1${url}`, {
            method,
            headers: {
              'X-LC-Id': app_id,
              'X-LC-Key': app_key,
              'Content-Type': 'application/json',
            },
            body: JSON.stringify(data)
          });
        };
        if (CONFIG.page.isPost) {
          if (CONFIG.hostname !== location.hostname) return;
          addCount(Counter);
        } else if (document.querySelectorAll('.post-title-link').length >= 1) {
          showTime(Counter);
        }
      }

      const api_server = app_id.slice(-9) === '-MdYXbMMI' ? `https://${app_id.slice(0, 8).toLowerCase()}.api.lncldglobal.com` : server_url;

      if (api_server) {
        fetchData(api_server);
      } else {
        fetch('https://app-router.leancloud.cn/2/route?appId=' + app_id)
          .then(response => response.json())
          .then(({
            api_server
          }) => {
            fetchData('https://' + api_server);
          });
      }
    })();
  </script>



<script>
            window.imageLazyLoadSetting = {
                isSPA: false,
                preloadRatio: 1,
                processImages: null,
            };
        </script><script>window.addEventListener("load",function(){var t=/\.(gif|jpg|jpeg|tiff|png)$/i,r=/^data:image\/[a-z]+;base64,/;Array.prototype.slice.call(document.querySelectorAll("img[data-original]")).forEach(function(a){var e=a.parentNode;"A"===e.tagName&&(e.href.match(t)||e.href.match(r))&&(e.href=a.dataset.original)})});</script><script>!function(n){n.imageLazyLoadSetting.processImages=o;var e=n.imageLazyLoadSetting.isSPA,i=n.imageLazyLoadSetting.preloadRatio||1,r=Array.prototype.slice.call(document.querySelectorAll("img[data-original]"));function o(){e&&(r=Array.prototype.slice.call(document.querySelectorAll("img[data-original]")));for(var t,a=0;a<r.length;a++)0<=(t=(t=r[a]).getBoundingClientRect()).bottom&&0<=t.left&&t.top<=(n.innerHeight*i||document.documentElement.clientHeight*i)&&function(){var t,e,n,i,o=r[a];t=o,e=function(){r=r.filter(function(t){return o!==t})},n=new Image,i=t.getAttribute("data-original"),n.onload=function(){t.src=i,e&&e()},t.src!==i&&(n.src=i)}()}o(),n.addEventListener("scroll",function(){var t,e;t=o,e=n,clearTimeout(t.tId),t.tId=setTimeout(function(){t.call(e)},500)})}(this);</script></body>

</html>